I tried this sequence of commands and for the delete works in this case, so I am not really sure why it would not in my actual live indexes.
POST test_delete-filebeat-7.14.0-2022.05/_doc/
{
"message": "10.42.224.236 - 26/May/2022:06:15:58 +0000 \"GET /index.php\" 200",
"@timestamp" : "2022-05-30T12:56:07.985Z"
}
POST test_delete-filebeat-7.14.0-2022.04/_doc/
{
"message": "10.42.224.236 - 26/May/2022:06:15:58 +0000 \"GET /index.php\" 200",
"@timestamp" : "2022-04-30T12:56:07.985Z"
}
GET /test_delete*/_search
{
"query": {
"bool": {
"must": [{
"multi_match": {
"type": "phrase",
"query": "\"GET /index.php\" 200",
"lenient": true
}
}],
"filter": [
],
"should": [],
"must_not": []
}
},
"sort" : [
{ "@timestamp" : "desc" }
]
}
POST /test_delete*/_delete_by_query
{
"query": {
"bool": {
"must": [{
"multi_match": {
"type": "phrase",
"query": "\"GET /index.php\" 200",
"lenient": true
}
}],
"filter": [ ],
"should": [],
"must_not": []
}
}
}
I actually added the first record twice so the result of the delete is
{
"took" : 28,
"timed_out" : false,
"total" : 3,
"deleted" : 3,
"batches" : 1,
"version_conflicts" : 0,
"noops" : 0,
"retries" : {
"bulk" : 0,
"search" : 0
},
"throttled_millis" : 0,
"requests_per_second" : -1.0,
"throttled_until_millis" : 0,
"failures" : [ ]
}